Abstract

Despite being quite similar agreement problems, consensus and general k-set agreement require surprisingly different techniques for proving impossibility in asynchronous systems with crash failures: Rather than the relatively simple bivalence arguments used in the impossibility proof for consensus (= 1-set agreement) in the presence of a single crash failure, known proofs for the impossibility of k-set agreement in systems with $f \geq k > 1$ crash failures use algebraic topology or a variant of Sperner's Lemma. In this paper, we present a generic theorem for proving the impossibility of k-set agreement in various message passing settings, which is based on a simple reduction to the consensus impossibility in a certain subsystem.

We demonstrate the broad applicability of our result by exploring the possibility/impossibility border of k-set agreement in several message-passing system models: (i) asynchronous systems with crash failures, (ii) partially synchronous processes with (initial) crash failures, and (iii) asynchronous systems augmented with failure detectors. In (i) and (ii), the impossibility part is just an instantiation of our main theorem, whereas the possibility of achieving k-set agreement in (ii) follows by generalizing the consensus algorithm for initial crashes by Fischer, Lynch and Paterson. In (iii), applying our technique yields the exact border for the parameter k where k-set agreement is solvable with the failure detector class $(\Sigma_k, \Omega_k)_{1 \leq k \leq n-1}$ of Bonnet and Raynal. Considering that $\Sigma_k$ was shown to be necessary for solving k-set agreement, this result yields new insights on the quest for the weakest failure detector.
I. Introduction

Agreement problems like consensus and set agreement are undoubtedly the most prominent target for exploring the solvability/impossibility border in fault-tolerant distributed computing. In such problems, every process $p_i$, $1 \leq i \leq n$, in a distributed system owns a local proposal value $x_i$, and the problem is to irrevocably compute local output values (also called decision values) $y_i$ that satisfy certain properties. For consensus, no two processes may decide on different values; for set agreement, the number of different decision values must be at most $n-1$ system-wide. An obvious generalization is k-set agreement, which requires that the number of different decision values is at most $k$; clearly, consensus is just 1-set agreement, whereas set agreement is equivalent to $(n-1)$-set agreement.

Due to the landmark FLP impossibility result [14], which employs (now classic) combinatorial arguments (bivalence proofs), it is well-known that consensus is impossible to solve in asynchronous systems if a single process may crash. The corresponding result for general k-set agreement is the impossibility of solving this problem in asynchronous systems if $f \geq k$ processes may crash. Surprisingly, establishing this result requires quite involved techniques based on algebraic topology or a variant of Sperner's lemma.

Another very simple and well-known technique for establishing impossibility results are partitioning arguments, which have been used successfully for many distributed computing problems [13]. Essentially, a partitioning argument exploits the fact that one cannot guarantee agreement among those processes of a distributed system that never, neither directly nor indirectly, communicate with each other. In this paper, we use partitioning arguments in a way that is, to the best of our knowledge, new: as a means for reduction.

More specifically, we present a theorem that provides us with a surprisingly generic tool for proving the impossibility of k-set agreement in message-passing systems. It works by reducing the impossibility of k-set agreement to the impossibility of achieving consensus in a certain subsystem: In a nutshell, failures and asynchrony in the models considered allow one to partition the system into $k$ parts, the processes of which must decide on their own and hence, by choosing distinct proposal values, on different values. Obviously, this leads to at least $k$ different decision values system-wide. The impossibility of k-set agreement then follows by showing that it is impossible to reach consensus in at least one of these parts.

Related work: 

Actually, we are not aware of much research that uses similar ideas: We have already employed reduction in earlier work to show that consensus is impossible in certain partially synchronous models, and to prove the tightness of our generalized loneliness failure detector $\mathcal{L}(k)$ for k-set agreement. We also learned recently that similar reduction arguments are employed in [5]. In [1], reduction to asynchronous set agreement is used to derive a lower bound on the minimum size of a "synchronous window" that is necessary for k-set agreement.

Detailed Contributions: 

• We present a generic impossibility result for k-set agreement that can be applied to a wide variety of message-passing system models and failure assumptions. Our result makes no specific assumptions about the (a)synchrony of the model or about the types of failures that can occur. While the main purpose of this theorem is to derive general impossibility results that hold for all algorithms in a specific model, it also turned out to be useful for quickly checking whether a candidate algorithm allows runs that make k-set agreement impossible.

• We introduce the notion of $\mathcal{T}$-independence for message passing systems, which is related to the progress condition formalism of [24].
• We revisit the impossibility of k-set agreement in asynchronous systems with crash failures (some of which are not initial crashes), with (and without) partially synchronous processes. Applying our generic theorem reveals the border that separates impossibility and possibility in this setting.

• Furthermore, by extending the algorithm for initial crashes of [14] to general k-set agreement, we show that the impossibility border is tightly matched.

• Finally, we shift our focus to asynchronous systems with failure detectors. We use our theorem to show that $(\Sigma_k, \Omega_k)$ is too weak to solve k-set agreement for $1 < k < n-1$.

II. System Models and Failure Assumptions 

We use the computing model of [11], extended with the possibility of querying failure detectors. In [11], 32 different models are defined by varying 5 core system parameters (e.g., synchrony of processes and communication, transmission mechanism, etc.), each of which can be chosen in a way that is either favourable (F) or unfavourable (U) for the algorithm. Informally speaking, we add a 6th dimension to the model:

6. Failure Detectors
U. Processes do not have access to failure detectors. 
F. Processes can query a failure detector at the beginning of each step. 

For the sake of brevity, we will not repeat the whole formal model of [11] here. Instead, we just introduce the necessary notations and explain the changes necessary for dealing with k-set agreement. The details of the case where failure detectors are available will be filled in in Section II-C.

We consider a system $\Pi = \{p_1, \ldots, p_n\}$ of $n$ processes with unique ids $\{1, \ldots, n\}$ that communicate via message-passing, using messages taken from some (possibly infinite) universe $\mathcal{M}$.

The communication subsystem is modeled by one buffer per process, which contains messages that have been sent to that process but not yet received. Every process $p \in \Pi$ is modeled as a deterministic state machine, which has a local state (program counter, local variables) that incorporates an input value $x_p$ initialized to some value from a finite set of values $V$, and a write-once output value $y_p \in V \cup \{\bot\}$ initialized to $\bot \notin V$. All other components of the local state are initialized to some fixed value.

State transitions are guided by a transition relation, which atomically takes the current local state of $p$, a (possibly empty) subset of messages $L$ from $p$'s current message buffer, and, in case of failure detectors, a value from the failure detector's domain, and provides a new local state. Sending of messages is guided by a deterministic message sending function, which determines a possibly empty set of messages that are to be sent to the processes in the system, i.e., maps the current state and the subset of messages $L$ to a subset of $\Pi \times \mathcal{M}$. Every message $(q, m)$ in this subset is sent by just putting $m$ into $q$'s buffer.

A configuration of the system consists of the vector of local states and the message buffers of all the 
processes; in the initial configuration, all processes are in an initial state and the message buffers are 
empty. 

A run $\rho = (C_0, C_1, \ldots)$ is an infinite sequence of configurations that starts from an initial configuration $C_0$, and $C_{j+1}$ results from a legitimate (according to the transition relation and message sending function) step of a single process $p$ in configuration $C_j$.

The above basic model is strengthened by restricting the set of runs by some admissibility conditions that depend on the particular system model $\mathcal{M}$ used. For example, the FLP model [14], denoted as $\mathcal{M}^{\mathrm{ASYNC}}$, requires that (1) every correct process takes an infinite number of steps, (2) faulty processes execute only finitely many steps and may omit sending messages to a subset of receivers in the very last step, and (3) every message sent by a process to a correct receiver process is eventually received.

Except where stated otherwise, we will assume systems adhering to the asynchronous model $\mathcal{M}^{\mathrm{ASYNC}}$, sometimes augmented with a failure detector (Section II-C) or with the assumption of partially synchronous processes (Section V).

A. k-Set Agreement 

We study distributed algorithms that solve agreement problems, namely, k-set agreement. Their purpose is to compute and irrevocably set the output $y_p$ of process $p$ to some decision value, based on the proposal values $x_q \in V$, for $1 \leq q \leq n$ and $|V| \geq n$¹, which must satisfy the following properties:
k-Agreement: Processes must decide on at most $k$ different values.
Validity: If a process decides on $v$, then $v$ was proposed by some process.
Termination: Every correct process must eventually decide.

Note that the agreement property binds together the decision values of all (correct or faulty) processes. For $k = 1$, k-set agreement is hence equivalent to uniform consensus [7]. It follows from [14] that non-uniform and hence also uniform consensus cannot be solved in asynchronous systems if just one process may crash.

B. Restrictions of Algorithms and Indistinguishability of Runs 

We will occasionally use a subsystem $\mathcal{M}'$ that is a restriction of $\mathcal{M}$, in the sense that it consists of a subset of processes in $\Pi$, while using the same mode of computation (atomicity of computing steps, time-driven vs. message-driven, etc.) as $\mathcal{M}$. We make this explicit by using the notation

$\mathcal{M} = (\Pi)$ and $\mathcal{M}' = (D)$,

for some set of processes $D \subseteq \Pi$. Note that this definition does not imply anything about the synchrony assumptions which hold in $\mathcal{M}'$. All that is required is that $\mathcal{M}'$ is computationally compatible with $\mathcal{M}$: Any algorithm designed for $\mathcal{M}$ can also be run in $\mathcal{M}'$, albeit on a smaller set of processes.

Definition 1 (Restriction of an Algorithm). Let $A$ be an algorithm that works in system $\mathcal{M} = (\Pi)$ and let $D \subseteq \Pi$ be a nonempty set of processes. Consider a restricted system $\mathcal{M}' = (D)$. The restricted algorithm $A_{|D}$ for system $\mathcal{M}'$ is constructed by dropping all messages sent to processes outside $D$ in the message sending function of $A$, obtaining the message sending function of $A_{|D}$.

Note that we do not change the actual code of algorithm $A$ in any way. In particular, the restricted algorithm still uses the value of $|\Pi|$ for the size of the system, even though the real size of $D$ might be much smaller.

Whereas this is sufficient for running an algorithm designed for $\mathcal{M}$ in the restricted system $\mathcal{M}'$, in practice, one would also remove any dead code (resulting from state transitions triggered by message arrivals from processes in $\Pi \setminus D$) from the transition relation of $A$ to obtain the actual transition relation of $A_{|D}$. Note that we use $\mathcal{M}_A$ to denote the set of runs of algorithm $A$ in model $\mathcal{M}$.

We will use a concept of similarity/indistinguishability of runs that is slightly weaker than the usual notion, as we require the same states only until a decision state is reached. This makes a difference for algorithms where $p$ can help others in reaching their decision after $p$ has decided, for example, by forwarding messages.

Definition 2 (Indistinguishability of Runs). Two runs $\alpha$ and $\beta$ are indistinguishable (until decision) for a process $p$, if $p$ has the same sequence of states in $\alpha$ and $\beta$ until $p$ decides. By $\alpha \sim_D \beta$ we denote the fact that $\alpha$ and $\beta$ are indistinguishable (until decision) for every $p \in D$.

¹ The assumption $|V| \geq n$ allows runs where all processes start with different proposal values.
Definition 3 (Compatibility of Runs). Let $\mathcal{R}$ and $\mathcal{R}'$ be sets of runs. We say that runs $\mathcal{R}'$ are compatible with runs $\mathcal{R}$ for processes in $D$, denoted by $\mathcal{R}' \preceq_D \mathcal{R}$, if $\forall \alpha \in \mathcal{R}'\ \exists \beta \in \mathcal{R}: \alpha \sim_D \beta$.

C. Failure Detectors and Failure Patterns 

A failure detector [6] $\mathcal{D}$ is an oracle that can be queried by processes in any step, before making a state transition. The definition of failure detectors is based on the notion of a global time, which we did not introduce yet. Recall that a run is a sequence of configurations, where $C_i$ results from a single step of a single process $p$ in configuration $C_{i-1}$. We call this step the $i$-th step of the run, and consider it to occur at time $i$. Note that processes do not have access to time.

The failure pattern $F(\cdot)$ of a run $\alpha$ is a function that outputs the set of crashed processes for a given time $t$; that is, $p \in F(t)$ if there is no $i \geq t$ such that the $i$-th step of the run is a step of $p$. Moreover, we denote the set of faulty processes in the run as $F = \bigcup_{t > 0} F(t)$.

The behaviour of $\mathcal{D}$ in a run $\alpha$ depends on the failure pattern $F(\cdot)$, which defines the set of admissible failure detector histories. The value of a query of a process $p$ in a step at time $t$ is defined by the history function $H(p,t)$, which maps process identifiers and time to the range of output symbols of $\mathcal{D}$. Clearly, a run in a system augmented with failure detectors is admissible, if all state transitions occur according to a legal history $H$ of $\mathcal{D}$, given the failure pattern of the run.

We denote the augmented asynchronous model, where runs are admissible in $\mathcal{M}^{\mathrm{ASYNC}}$ and processes can query failure detector $\mathcal{D}$ in any step, as $(\mathcal{M}^{\mathrm{ASYNC}}, \mathcal{D})$. If there is an algorithm $A$ that solves problem $P$ in $(\mathcal{M}^{\mathrm{ASYNC}}, \mathcal{D})$, we say that $\mathcal{D}$ solves $P$. We say that algorithm $A_{\mathcal{D} \to \mathcal{D}'}$ transforms $\mathcal{D}$ to $\mathcal{D}'$, if processes maintain output variables $\mathit{output}_{\mathcal{D}'}$ that emulate failure detector histories of $\mathcal{D}'$, which are admissible for $F(\cdot)$.

Based on this notion of transforming oracles, [6] introduces a comparison relation on failure detectors: We say that $\mathcal{D}'$ is weaker than $\mathcal{D}$ and call $\mathcal{D}$ stronger than $\mathcal{D}'$, if such an algorithm $A_{\mathcal{D} \to \mathcal{D}'}$ exists. If there is also an algorithm $A_{\mathcal{D}' \to \mathcal{D}}$, we say that $\mathcal{D}$ and $\mathcal{D}'$ are equivalent. If no such algorithm $A_{\mathcal{D}' \to \mathcal{D}}$ exists, we say that $\mathcal{D}$ is strictly stronger than $\mathcal{D}'$; strictly weaker is defined analogously. If neither $A_{\mathcal{D} \to \mathcal{D}'}$ nor $A_{\mathcal{D}' \to \mathcal{D}}$ exists then we say that $\mathcal{D}$ and $\mathcal{D}'$ are incomparable. A failure detector $\mathcal{D}'$ is the weakest for problem $P$ if $\mathcal{D}'$ is weaker than any failure detector $\mathcal{D}$ that solves $P$.

While the weakest failure detector for message passing k-set agreement is still unknown, the quorum family $\Sigma_k$ was shown in [3] to be necessary for solving k-set agreement with any failure detector $\mathcal{X}$, in the sense that there is a transformation that implements $\Sigma_k$ in the system $(\mathcal{M}^{\mathrm{ASYNC}}, \mathcal{X})$.

We will now restate the failure detector classes $\Sigma_k$ and $\Omega_k$; a recent overview of failure detectors for k-set agreement can be found in the literature.

Definition 4 (cf. [3]). The generalized quorum failure detector $\Sigma_k$, with $\Sigma = \Sigma_1$, outputs a set of trusted process ids, such that for all environments $\mathcal{E}$ and for all failure patterns $F(\cdot) \in \mathcal{E}$ the following holds:
Intersection: For every set of $k+1$ processes $\{p_1, \ldots, p_{k+1}\}$ and for all $k+1$ time instants $t_1, \ldots, t_{k+1}$ there exist indices $i$ and $j$ with $1 \leq i \neq j \leq k+1$, such that $H(p_i, t_i) \cap H(p_j, t_j) \neq \emptyset$.
Liveness: $\exists t\ \forall t' \geq t\ \forall p_i \notin F: H(p_i, t') \cap F = \emptyset$.

If a process $p$ crashes at time $t$, i.e., $p \in F(t)$, we define $\forall t' \geq t: H(p, t') = \Pi$.
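As an added example (not code from the paper), the following Python checks a constructed finite failure-detector history against the Intersection and Liveness properties of Definition 4: the process ids, time instants, crash pattern and trust rule are all constructed here, and the finite-horizon reading of Liveness is an assumption explained in its docstring.

```python
from itertools import combinations, product

PROCESSES = [1, 2, 3, 4]          # Pi (constructed)
TIMES = [1, 2, 3, 4]              # finite horizon of time instants (constructed)
CRASH_TIME = {4: 3}               # constructed failure pattern: p4 in F(t) for t >= 3
FAULTY = set(CRASH_TIME)          # F = union over t of F(t)


def constructed_rule(p, t):
    """Trust sets of live processes (constructed): {1,2} and {3,4} never
    intersect, so Sigma_1 must fail; p3 drops p4 once it has crashed."""
    if p in (1, 2):
        return {1, 2}
    if p == 3 and t >= 3:
        return {3}
    return {3, 4}


def make_history(processes, times, crash_time, trusted_fn):
    """Build H(p, t); a crashed process outputs the whole set Pi from its
    crash time onwards, as stipulated right after Definition 4."""
    pi = set(processes)
    history = {}
    for p in processes:
        for t in times:
            crashed = p in crash_time and t >= crash_time[p]
            history[(p, t)] = set(pi) if crashed else set(trusted_fn(p, t))
    return history


def intersection_witness(history, processes, times, k):
    """Return (processes, times) violating the Intersection property of
    Sigma_k, i.e. k+1 processes and k+1 instants whose outputs are pairwise
    disjoint, or None if every such choice has an intersecting pair."""
    for group in combinations(sorted(processes), k + 1):
        for ts in product(sorted(times), repeat=k + 1):
            outs = [history[(p, t)] for p, t in zip(group, ts)]
            if all(a.isdisjoint(b) for a, b in combinations(outs, 2)):
                return group, ts
    return None


def liveness_holds_at_horizon(history, processes, times, faulty):
    """Liveness asks for a time after which correct processes trust no faulty
    one.  A finite prefix can only confirm, never refute, this, so we check
    (assumption of this example) whether it holds at the last instant."""
    correct = set(processes) - set(faulty)
    t_last = max(times)
    return all(history[(p, t_last)].isdisjoint(faulty) for p in correct)


def demo():
    h = make_history(PROCESSES, TIMES, CRASH_TIME, constructed_rule)
    return {
        "sigma_1": intersection_witness(h, PROCESSES, TIMES, 1),   # violated
        "sigma_2": intersection_witness(h, PROCESSES, TIMES, 2),   # holds
        "liveness": liveness_holds_at_horizon(h, PROCESSES, TIMES, FAULTY),
    }
```

With four processes split into two never-intersecting halves, the history satisfies $\Sigma_2$ (any three processes include two from the same half) but not $\Sigma_1$.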

Definition 5 (cf. [21]). The output of the generalized leader oracle $\Omega_k$, for $1 \leq k \leq n-1$, satisfies the following properties:

Validity: For all processes $p$ and all times $t$, history $H(p,t)$ is a set of $k$ process identifiers.
Eventual Leadership: There exists a time $t_{\mathrm{GST}}$ and a set $LD$, such that

$(LD \cap (\Pi \setminus F) \neq \emptyset) \wedge (\forall t \geq t_{\mathrm{GST}}\ \forall p: H(p,t) = LD)$.
III. The Impossibility Theorem

In this section, we will present our general k-set agreement impossibility theorem. Due to its very broad applicability, the theorem itself is stated in a highly generic and somewhat abstract way. It captures a reasonably simple idea, however, which boils down to extracting a consensus algorithm for a certain subsystem where consensus is unsolvable: Suppose that a given k-set agreement algorithm $A$ for some system model $\mathcal{M}$ has runs where processes start with distinct values and $k$ partitions $D_1, \ldots, D_{k-1}$ and $\bar{D}$ can be formed: Processes in the $k-1$ partitions $D_i$ decide on (at least) $k-1$ different values, and no process in partition $\bar{D}$ ever hears from any process in $D_i$ before it decides. Note carefully that processes in $\bar{D}$ can communicate arbitrarily within $\bar{D}$. Then, the ability of $A$ to solve k-set agreement would imply that the restricted algorithm $A_{|\bar{D}}$ can solve consensus in the restricted model $\mathcal{M}' = (\bar{D})$. However, if the synchrony and failure assumptions of $\mathcal{M}$ are such that consensus cannot be solved in $\mathcal{M}'$, this is a contradiction. This intuition will become completely clear when we apply Theorem 1 in Section V and in the failure detector setting.

Theorem 1 (k-Set Agreement Impossibility). Let $\mathcal{M} = (\Pi)$ be a system model and consider the runs $\mathcal{M}_A$ that are generated by some fixed k-set agreement algorithm $A$ in $\mathcal{M}$, where every process starts with a distinct input value. Fix some nonempty disjoint sets of processes $D_1, \ldots, D_{k-1}$, and a set of distinct decision values $\{v_1, \ldots, v_{k-1}\}$. Moreover, let $D = \bigcup_{1 \leq i < k} D_i$ and $\bar{D} = \Pi \setminus D$. Consider the following two properties:

(dec-D) For every set $D_i$, value $v_i$ was proposed by some process in $D$, and there is some process in $D_i$ that decides on $v_i$.

(dec-$\bar{D}$) If $p_j \in \bar{D}$ then $p_j$ receives no messages from any process in $D$ until after every process in $\bar{D}$ has decided.

Let $\mathcal{R}_{(\bar{D})} \subseteq \mathcal{M}_A$ and $\mathcal{R}_{(D,\bar{D})} \subseteq \mathcal{M}_A$ be the sets of runs of $A$ where (dec-$\bar{D}$) respectively both (dec-D) and (dec-$\bar{D}$) hold.² Suppose that the following conditions are satisfied:

(A) $\mathcal{R}_{(\bar{D})}$ is nonempty.

(B) $\mathcal{R}_{(\bar{D})} \preceq_{\bar{D}} \mathcal{R}_{(D,\bar{D})}$.

In addition, consider a restricted model $\mathcal{M}' = (\bar{D})$ such that the following hold:

(C) There is no algorithm that solves consensus in $\mathcal{M}'$.

(D) $\mathcal{M}'_{A_{|\bar{D}}} \preceq_{\bar{D}} \mathcal{M}_A$.

Then, $A$ does not solve k-set agreement in $\mathcal{M}$.

Proof: For the sake of a contradiction, assume that there is a k-set agreement algorithm $A$ for model $\mathcal{M}$, sets of runs $\mathcal{R}_{(\bar{D})}$ and $\mathcal{R}_{(D,\bar{D})}$ and some sets of processes $D_1, \ldots, D_{k-1}$ such that conditions (A)-(D) hold. Due to (A) we have $\mathcal{R}_{(\bar{D})} \neq \emptyset$; then, (B) implies that $\mathcal{R}_{(D,\bar{D})}$ is nonempty too. Observe that (dec-D) ensures that there are $\geq k-1$ distinct decision values among the processes in $D$, in every run in $\mathcal{R}_{(D,\bar{D})}$. Since algorithm $A$ satisfies k-agreement, the compatibility requirement (B) between runs $\mathcal{R}_{(\bar{D})}$ and $\mathcal{R}_{(D,\bar{D})}$ for processes in $\bar{D}$ implies the following constraint:

(Fact 1) In each run in $\mathcal{R}_{(\bar{D})}$ all processes in $\bar{D}$ must decide on a common value.

We will now show that this fact yields a contradiction. Starting from $\mathcal{M}'_{A_{|\bar{D}}}$, i.e., the set of runs of the restricted algorithm in model $\mathcal{M}'$, we know by (D) that for each $\rho' \in \mathcal{M}'_{A_{|\bar{D}}}$ there exists a run $\rho \in \mathcal{M}_A$ such that $\rho' \sim_{\bar{D}} \rho$. Obviously, no process $p \in \bar{D}$ receives messages from a process $q \in D$ in $\rho'$ before $p$'s decision, as such a process $q$ does not exist in the restricted model $\mathcal{M}'$. Clearly, the same is true for the indistinguishable run $\rho$ (even though such a process $q$ does exist in model $\mathcal{M}$). Therefore, we have that, in fact, $\rho \in \mathcal{R}_{(\bar{D})}$, and due to (Fact 1), we know that in each run $\rho' \in \mathcal{M}'_{A_{|\bar{D}}}$ all processes decide on the same value. This, however, means that we could employ $A_{|\bar{D}}$ to solve consensus in $\mathcal{M}'$, which is a contradiction to (C). ■

² Note that $\mathcal{R}_{(\bar{D})}$ is by definition compatible with the runs of the restricted algorithm $A_{|\bar{D}}$.

Remarks 

There are several noteworthy points about Theorem 1:

• The proof neither restricts the types of failures that can occur in $\mathcal{M}$ nor the underlying synchrony assumptions of $\mathcal{M}$ in any way.

• Our impossibility argument uses a 2-partitioning argument but does not require the system to (temporarily or permanently) decompose into $k+1$ partitions. In particular, there is no further restriction on the communication among processes within $D$ and within $\bar{D}$.

• Despite its main purpose of showing impossibilities, our theorem is also useful when developing new algorithms for achieving k-set agreement. For example, suppose that we are given some unproven but seemingly promising new algorithm $A$ for a model close to asynchrony. Then, checking whether the runs of $A$ are such that the conditions of Theorem 1 are satisfied will allow us to determine already at an early stage (i.e., before developing a detailed correctness analysis) whether it is worthwhile to explore $A$ further. In particular, if (dec-$\bar{D}$) can be satisfied in some runs, i.e., (A) holds, the algorithm is very likely flawed, as the remaining conditions are typically easy to construct in sufficiently asynchronous systems.

• At first glance, requirement (B) might appear to be redundant. After all, it should always be possible to find a run in $\mathcal{R}_{(D,\bar{D})}$ that is indistinguishable for the processes in $\bar{D}$, given some run in $\mathcal{R}_{(\bar{D})}$. We will now try to give an intuition for its necessity; in the proof of Theorem 10 we will see that (B) is non-trivial in realistic settings.

To see why (B) is necessary, first consider some run $\gamma$ (of some algorithm in some model $\mathcal{M}$) that satisfies property (dec-D). This stipulates $k-1$ distinct decision values among the processes in $D$, which essentially means that $\gamma$ was a quite "asynchronous" run for the processes in $D$. It could therefore be the case that the synchrony assumptions of $\mathcal{M}$ require $\gamma$ to be "synchronous" for the processes in $\bar{D}$. Now suppose that we are given a run $\alpha \in \mathcal{R}_{(\bar{D})}$ and we need to find a run $\beta \in \mathcal{R}_{(D,\bar{D})}$ that is indistinguishable for processes in $\bar{D}$, in order to make (B) hold. If $\alpha$ is an "asynchronous" run for the processes in $\bar{D}$, we might not be able to find a matching run $\beta \in \mathcal{R}_{(D,\bar{D})}$, as the above setting requires such runs to be "synchronous" for the processes in $\bar{D}$. Consider, for example, the (highly artificial) model where computing speed and communication among processes in $\bar{D}$ is synchronous in a run if and only if the processes in $D$ decide on at least $k-1$ distinct values. Clearly, $\mathcal{R}_{(\bar{D})} \preceq_{\bar{D}} \mathcal{R}_{(D,\bar{D})}$ does not hold in this scenario.

IV. $\mathcal{T}$-Independence

We proceed with introducing a convenient notion for message passing systems, which is similar to the progress conditions of concurrent objects [18], [24] in shared memory models. Bear in mind that we only consider algorithms for decision tasks, like k-set agreement; that is, every correct process must eventually decide.

Definition 6 ($\mathcal{T}$-independence). Consider a model $\mathcal{M} = (\Pi)$ and let $\mathcal{T} \subseteq 2^{\Pi}$ be a family of sets of processes. We say that $A$ satisfies $\mathcal{T}$-independence in $\mathcal{M}$, if for all sets $S \in \mathcal{T}$ it holds that the subset of runs of $A$ in $\mathcal{M}$ where processes in $S$ only receive messages from other processes in $S$ until every process in $S$ either decides or crashes, is nonempty.

If, in addition, the subset of runs of $A$ in $\mathcal{M}$, where processes in $S$ eventually only receive messages from other processes in $S$ until every process in $S$ either decides or crashes, is nonempty, we say that $A$ satisfies strong $\mathcal{T}$-independence in $\mathcal{M}$.

Observation 1. The following properties obviously hold: 

(a) If algorithm $A$ satisfies strong $\mathcal{T}$-independence in $\mathcal{M}$, then $A$ also satisfies $\mathcal{T}$-independence in $\mathcal{M}$.

(b) If algorithm $A$ satisfies $\mathcal{T}$-independence in $\mathcal{M}$ and $\mathcal{T}' \subseteq \mathcal{T}$, then $A$ satisfies $\mathcal{T}'$-independence in $\mathcal{M}$.



We can express the following classic progress conditions in terms of $\mathcal{T}$-independence: Wait-freedom [16] provides strong $2^{\Pi}$-independence. Moreover, obstruction-freedom implies $\{\{p_1\}, \ldots, \{p_n\}\}$-independence. The classic assumption of an $f$-resilient algorithm guarantees strong $\{S \mid (S \subseteq \Pi) \wedge (|S| \geq |\Pi| - f)\}$-independence, whereas (non-strong) $\{S \mid (S \subseteq \Pi) \wedge (|S| \geq |\Pi| - f)\}$-independence holds when up to $f$ initial crash failures can be tolerated. Analogously to [18], $\mathcal{T}$-independence also enables us to specify asymmetric progress conditions, e.g., strong $\{S \mid \{p_1\} \subseteq S \subseteq \Pi\}$-independence is guaranteed by wait-freedom of process $p_1$.

V. Impossibility in the Partially Synchronous and Asynchronous Case 

It is easy to show that k-set agreement is impossible in the purely asynchronous model, if we assume a wait-free environment: It suffices to simply delay all communication until every process has decided on its own proposal value. When the number of failures is somewhat restricted and/or the model is partially synchronous, however, a more involved argument is necessary. In this section, we will show how to avoid proving the impossibility "from scratch" by instantiating Theorem 1.

Theorem 2. There is no algorithm that solves k-set agreement in a system $\Pi$ of $n$ processes where

• processes are synchronous,

• communication is asynchronous,

• a process can broadcast a message in an atomic step, and

• receiving and sending are part of the same atomic step,

for any

$$k \leq \frac{n-1}{n-f}, \qquad (1)$$

even if, of the $f$ possibly faulty processes, $f-1$ can fail by crashing initially and only one process can crash during the execution.

Proof: Assume in contradiction that some $f$-resilient algorithm $A$ solves k-set agreement. We will show that conditions (A)-(D) of Theorem 1 are satisfied, thus yielding a contradiction.

As a first step, we will identify suitable sets $D_i$ such that (A)-(B) hold for the runs in $\mathcal{R}_{(\bar{D})}$ and $\mathcal{R}_{(D,\bar{D})}$, respectively. Let $\ell = n - f$; for $1 \le i < k$, define $D_i = \{\ldots\}$ as pairwise disjoint sets of $\ell$ processes each, and let

$D = \bigcup_{1 \leq i < k} D_i.$

Note that the failure assumption (1) guarantees that these sets $D_i$ exist.

Lemma 3. The set $\bar{D}$ contains at least $n-f+1$ processes, and every $D_i$, $1 \leq i < k$, contains exactly $\ell = n-f$ processes.
Proof: Since obviously $|D_i| = \ell$, we are done if we can show that $|D| + n - f + 1 \leq n$, i.e.,

$(k-1)(n-f) + (n-f+1) = k(n-f) + 1 = k\ell + 1 \leq n,$

which matches exactly (1). ■
Moreover, the failure bound (1) together with the fact that communication is asynchronous, immediately implies the following lemma:

Lemma 4. Algorithm $A$ is $\{D_1, \ldots, D_{k-1}, \bar{D}\}$-independent.

We now show the conditions of Theorem 1:

(A) By Observation 1(b) and Lemma 4 it follows immediately that $\mathcal{R}_{(\bar{D})} \neq \emptyset$.

(B) Consider the set of runs $\mathcal{H}$ where all communication between the sets of processes $D_1, \ldots, D_{k-1}, \bar{D}$ is delayed until every correct process has decided; Lemma 4 implies that $\mathcal{H} \neq \emptyset$. For any $\rho \in \mathcal{R}_{(\bar{D})}$ it is easy to find one $\rho' \in \mathcal{H}$, where all processes in $\bar{D}$ go through the same states until deciding. Moreover, clearly $\mathcal{H} \subseteq \mathcal{R}_{(D,\bar{D})}$, thus establishing (B).

(C) Now consider a system $\mathcal{M}' = (\bar{D})$ that has the same system assumptions as $\mathcal{M}$, with the restriction that at most one process can crash in $\mathcal{M}'$ at any time. Condition (C) follows immediately from the result of [11, Table I], since we have already shown in Lemma 3 that

$|\bar{D}| \geq n - f + 1 \geq 2$

and one process can crash in the runs of $\mathcal{M}'$.

(D) We will show that for every run $\rho' \in \mathcal{M}'_{A_{|\bar{D}}}$ there is a corresponding run $\rho \in \mathcal{M}_A$ such that $\rho' \sim_{\bar{D}} \rho$. Fix any $\rho' \in \mathcal{M}'_{A_{|\bar{D}}}$ and consider the run $\rho \in \mathcal{M}_A$ where every correct process in $\bar{D}$ has the same sequence of states in $\rho$ as in $\rho'$, and all remaining processes, of which there are $\leq f-1$, are initially dead in $\rho$. Such a run $\rho$ exists, since $A_{|\bar{D}}$ is the restriction of $A$ (see Definition 1).

We can therefore apply Theorem 1 and conclude that $A$ does not solve k-set agreement. ■
Since an impossibility under stronger assumptions implies impossibility under weaker ones, we have 
the following corollary: 

Corollary 5. The impossibility of k-set agreement from Theorem 2 continues to hold under weaker
assumptions, in particular, if processes are asynchronous, broadcasts are not possible in one step, sending 
and receiving within one atomic step is not possible, and all f processes may fail by crashing. 

VI. Possibility of k-Set Agreement with Initially Dead Processes

In this section, we will show that Theorem 2 tightly captures the impossibility of k-set agreement, by presenting a matching bound for the solvability of k-set agreement in asynchronous systems with $f$ initial crashes.

For the consensus case $k = 1$, we know from [14] that it is sufficient for a majority of processes to be correct. The protocol of [14] operates in two stages: In the first stage, each process broadcasts a message (containing its process id). Every process then waits until it has received $L-1$ (where $L = \lceil (n+1)/2 \rceil$) messages.

In the second stage, every process broadcasts a message containing its initial value and the list of L — 1 
processes it has received messages from in the first stage. Then it waits for messages from those L — 1 
processes it has received messages from in the first stage, and for a message from every remote process 
mentioned in one of the lists it receives. 
Now consider a directed simple graph, in which each node corresponds to a process and there is an edge from $u$ to $w$ iff the process corresponding to $w$ has received a message from the process corresponding to $u$ in the first stage. Let us call this graph $G$. Clearly, every node in $G$ has in-degree $L-1$. Processes only know some part of $G$ after the first stage, but have complete and consistent knowledge of $G$ after the second stage. At this point, every process can thus consistently determine an initial clique $C$ in $G$, i.e., a fully connected maximal subgraph with no incoming edges. Since $n > 2f$, exactly one such $C$ must exist. A deterministic rule for choosing one of the proposal values of the processes in $C$ (e.g., the value proposed by the process whose identifier is minimal in the clique) is used as the decision value of every process.

For the general case $k \geq 1$, we can use the same algorithm if we can make sure that each process can determine one of at most $k$ initial cliques. We will now determine a value for $L$ which guarantees this for some given $k$. Note that the ability to select a value for $L$ is also restricted by $f$. Thus, by combining the relations between $L$ and $k$ and $f$, respectively, we will be able to determine the range of $f$ for which k-set agreement is solvable.

We call a strongly connected component $C$ of a directed graph $G$ a source component, if, in the directed acyclic graph (DAG) generated by contracting all vertices of the strongly connected components of $G$ into single vertices, the vertex corresponding to $C$ is a source, i.e., has in-degree 0.

Lemma 6. Every finite directed simple graph $G = (V, E)$, where each vertex $v$ has in-degree at least $\delta > 0$, has a source component $C$ of size at least $\delta + 1$.

Proof: Obviously, the graph $G'$ obtained from $G$ by contracting all vertices in each strongly connected component is a directed acyclic graph. Like every DAG, $G'$ has at least one vertex $c'$ with in-degree 0. Let $C$ be the set of vertices in $G$ that were contracted to $c'$. By definition, $C$ must be a source component, so it remains to show that $|C| \geq \delta + 1$. Take any vertex $v \in C$. Clearly, all in-neighbours of $v$ must also be in $C$, since $C$ is a source component. Thus, $C$ must contain at least $\delta$ vertices besides $v$. ■

Lemma 7. Consider a finite directed simple graph $G$, where each vertex has in-degree at least $\delta > 0$. In each weakly connected component of $G$, there exists at least one source component $C$ of size at least $\delta + 1$.

Proof: Follows by applying Lemma 6 to each sub-graph corresponding to a weakly connected component. ■

From this lemma, it follows that every process has (at least) one directed incoming path from all the processes in (at least) one source component. Moreover, since source components are disjoint and each has at least $\delta + 1$ vertices, there are no more than $\lfloor n/(\delta + 1) \rfloor$ of them; in particular, when $2\delta \geq n$, there can be only one source component.

Returning to the algorithm from [14], we find that detecting locally which processes belong to the initial clique $C$ in $G$ is equivalent to locally detecting which processes belong to the source component a process is connected to. Moreover, as mentioned earlier, waiting for $L-1$ messages in the first stage clearly induces a graph $G$ with $\delta = L-1$, and thus at most $\lfloor n/L \rfloor$ source components. From this it follows that processes will decide on at most $\lfloor n/L \rfloor$ values, so $k$-set agreement with $k \geq \lfloor n/L \rfloor$ is indeed solvable.

As our last step, we have to relate $L$ to the bound on the number of initially crashed processes $f$. On one hand, we want $L$ to be as large as possible in order to decrease the number of source components. On the other hand, since processes wait until they have received a message from $L-1$ remote processes in the first stage, it is clearly not advisable to choose $L-1 \geq n-f$. Therefore, we now fix $L = n-f$, which leads to $k$-set agreement being solvable when $k \geq \lfloor n/(n-f) \rfloor$. Since $n$, $f$, and $k$ are all integers, we get that $k+1 > n/(n-f)$ and hence $kn > (k+1)f$. Note that, for $k = 1$, this matches the requirement of a majority of correct processes.
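The following is an added worked example, not code from the paper: it models the first-stage message pattern as the directed graph $G$ described above (an edge $(u,w)$ meaning that $w$ received $u$'s first-stage message), computes the source components of $G$ via strongly connected components, checks the bound of Lemmas 6 and 7 (every source component has at least $\delta+1$ vertices, so there are at most $\lfloor n/(\delta+1) \rfloor$ of them), and lets each process decide on the proposal of the minimum-id process in a source component that reaches it. The graphs, proposals and the tie-breaking rule (when several source components reach a process, take the one with the smallest minimum id) are constructed assumptions; the paper only requires some deterministic rule. The parameters follow the text: $L = n-f$, $\delta = L-1$, and `solvable` is the condition $kn > (k+1)f$.

```python
from collections import defaultdict


def strongly_connected_components(n, edges):
    """Kosaraju's algorithm on vertices 0..n-1; edges is a set of (u, w).
    Returns (comp, ncomp) where comp[v] is the SCC index of vertex v."""
    succ, pred = defaultdict(list), defaultdict(list)
    for u, w in edges:
        succ[u].append(w)
        pred[w].append(u)
    order, seen = [], [False] * n

    def finish_order(v):            # pass 1: DFS finishing order
        seen[v] = True
        for x in succ[v]:
            if not seen[x]:
                finish_order(x)
        order.append(v)

    for v in range(n):
        if not seen[v]:
            finish_order(v)
    comp, ncomp = [-1] * n, 0

    def assign(v, c):               # pass 2: DFS on the transposed graph
        comp[v] = c
        for x in pred[v]:
            if comp[x] == -1:
                assign(x, c)

    for v in reversed(order):
        if comp[v] == -1:
            assign(v, ncomp)
            ncomp += 1
    return comp, ncomp


def source_components(n, edges):
    """SCCs with no incoming edge from another SCC (sources of the DAG)."""
    comp, ncomp = strongly_connected_components(n, edges)
    has_incoming = [False] * ncomp
    for u, w in edges:
        if comp[u] != comp[w]:
            has_incoming[comp[w]] = True
    return [frozenset(v for v in range(n) if comp[v] == c)
            for c in range(ncomp) if not has_incoming[c]]


def reachable_from(edges, start):
    """All vertices reachable along directed edges from the set `start`."""
    succ = defaultdict(list)
    for u, w in edges:
        succ[u].append(w)
    seen, stack = set(start), list(start)
    while stack:
        for x in succ[stack.pop()]:
            if x not in seen:
                seen.add(x)
                stack.append(x)
    return seen


def decide(n, edges, proposals, delta):
    """Decision of every process; every vertex must have in-degree >= delta."""
    indeg = [0] * n
    for _, w in edges:
        indeg[w] += 1
    if min(indeg) < delta:
        raise ValueError("every process must receive at least delta messages")
    sources = source_components(n, edges)
    # Lemmas 6/7: each source component has >= delta+1 vertices, hence at
    # most floor(n/(delta+1)) source components exist.
    assert all(len(c) >= delta + 1 for c in sources)
    assert len(sources) <= n // (delta + 1)
    reach = {c: reachable_from(edges, c) for c in sources}
    decisions = {}
    for p in range(n):
        # in a finite DAG every vertex is reached by some source; the
        # tie-break below is an assumed deterministic rule
        chosen = min((c for c in sources if p in reach[c]), key=min)
        decisions[p] = proposals[min(chosen)]
    return decisions


def solvable(n, f, k):
    """Condition of Theorem 8: kn > (k+1)f."""
    return k * n > (k + 1) * f


# Constructed scenario: n = 6, f = 3, so L = n-f = 3 and delta = L-1 = 2.
N, F = 6, 3
DELTA = (N - F) - 1
PROPOSALS = {0: "a", 1: "b", 2: "c", 3: "d", 4: "e", 5: "f"}

def clique(vs):
    return {(u, w) for u in vs for w in vs if u != w}

# two isolated cliques -> two source components -> two decision values
EDGES_SPLIT = clique([0, 1, 2]) | clique([3, 4, 5])
# {0,1,2} feeds process 3; {3,4,5} is an SCC but not a source -> one value
EDGES_JOINED = clique([0, 1, 2]) | {(0, 3), (4, 3), (3, 4), (5, 4), (3, 5), (4, 5)}

if __name__ == "__main__":
    k = N // (N - F)   # = 2: the largest k for which Theorem 8 holds here
    print("k =", k, solvable(N, F, k), solvable(N, F, k - 1))
    print(decide(N, EDGES_SPLIT, PROPOSALS, DELTA))
    print(decide(N, EDGES_JOINED, PROPOSALS, DELTA))
```

With $n = 6$ and $f = 3$ the text gives $k \geq \lfloor 6/3 \rfloor = 2$; the split graph indeed yields two decision values and the joined graph one, and `solvable(6, 3, 1)` is false since $6 \not> 6$, matching the majority requirement for consensus.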

Considering the border case $kn = (k+1)f$, we get $n-f = n/(k+1)$. A standard partitioning argument reveals that $k$-set agreement is impossible in this case: Assume that there is an algorithm $A$ that solves $k$-set agreement in such a system. The above condition on $n$ and $f$ implies that we can partition the system into $k+1$ disjoint groups of processes $\Pi_0, \ldots, \Pi_k$. From the set of possible input values $V$, choose any $v_0, \ldots, v_k$ s.t. $v_i = v_j \Leftrightarrow i = j$. Clearly, for each $i$, there is an execution $\varepsilon_i$ of $A$ where all processes in $\Pi_i$ have initial value $v_i$ and all processes in $\Pi \setminus \Pi_i$ are initially dead. Since $A$ solves $k$-set agreement, all processes in $\Pi_i$ have to eventually decide on $v_i$ in $\varepsilon_i$. Therefore, by delaying messages between the partitions $\Pi_i$ sufficiently long, it is easy to construct an execution $\varepsilon$ without any initial crashes, which is indistinguishable (until decision) for all $p \in \Pi_i$ from $\varepsilon_i$, $0 \leq i \leq k$. But now we have $k+1$ different decision values (i.e., $v_0, \ldots, v_k$) in $\varepsilon$, which contradicts the assumption that $A$ solves $k$-set agreement. Therefore, we have obtained the following result:

Theorem 8. In an asynchronous system with $n$ processes up to $f$ of which may be initially dead, $k$-set agreement is solvable if and only if $kn > (k+1)f$ or, equivalently,



VII. Impossibility with Failure Detector $(\Sigma_k, \Omega_k)$

In this section, we will demonstrate the full power of Theorem 1 by deriving a new result: We prove the impossibility of achieving $k$-set agreement with failure detector $(\Sigma_k, \Omega_k)$, for all $1 < k < n-1$. In lH Theorem 2], it was shown that $k$-set agreement is impossible with if 1 < 2k'^ ≤ n, which is a much more restrictive bound than the one given by Theorem 10 below.

For our impossibility proof, we will make use of a certain stronger failure detector that nevertheless 
allows up to k partitions. Note that this actually strengthens our impossibility result. 

Definition 7. Let $\{D_1, \ldots, D_{k-1}, D_k\}$ be a partitioning of the processes in $\Pi$, and let $D = D_k$. The partition failure detector $(\Sigma'_k, \Omega'_k)$ provides failure detector histories with the following properties:

1) For $1 \leq i \leq k$, the output of $\Sigma'_k$ at every process in $D_i$ is a valid history for $\Sigma$ (= $\Sigma_1$) in the restricted model $M_i = \langle D_i \rangle$ (where only processes from $D_i$ are ever output by $\Sigma$), with an additional condition: Let $t_j$ be the earliest point in time when $p_j \in F(t_j)$, for any $p_j \in D_i$. If $t_j$ is finite, then $\forall t \geq t_j$ it holds that the output of $\Sigma'_k$ at $p_j$ is defined to be the whole set $\Pi$.

2) Let $LD_j$ denote the set of $k$ leader candidates that is the output of $\Omega'_k$ at process $p_j$ at some point in time $t$. We just assume² $\Omega'_k = \Omega_k$, i.e., $LD_j$ must satisfy Definition 5 for some stabilization time $t_{GST}$: There exists a set $LD$ of $k$ processes and an index $1 \leq j \leq k$ with $LD \cap D_j \cap (\Pi \setminus F) \neq \emptyset$, such that the output $LD_j$ of every correct process $p_j \in \Pi$ is $LD$ for all $t \geq t_{GST}$.

We call a history of $(\Sigma'_k, \Omega'_k)$ a partitioning history.

Lemma 9. Failure detector $(\Sigma_k, \Omega_k)$ is weaker than $(\Sigma'_k, \Omega'_k)$.

Proof: Consider an arbitrary finite stabilization time $t_{GST}$. Since $\Omega'_k = \Omega_k$, every history of $(\Sigma'_k, \Omega'_k)$ obviously satisfies the (Eventual Leadership) property of $\Omega_k$.

To show that every history of $(\Sigma'_k, \Omega'_k)$ also satisfies the properties of $\Sigma_k$, choose any set $P$ of $k+1$ processes in $\Pi$. First, observe that the combined liveness conditions of the local $\Sigma$ histories immediately

²Actually, it would be possible to also strengthen $\Omega'_k$. As this somewhat obfuscates key ideas of the proof, however, we dropped this generalization in this paper.
imply that liveness holds for $\Sigma_k$ (see Definition 4). By the pigeon hole principle, at least two processes of $P$ must be in the same set $D_i$, for some $1 \leq i \leq k$, where $D_k = D$. Hence, the intersection property of $\Sigma$ in $\langle D_i \rangle$ implies that the history is valid for $\Sigma_k$, which completes the proof. ■

We are now ready for stating our major theorem:

Theorem 10. There is no $(n-1)$-resilient algorithm that solves $k$-set agreement in an asynchronous system with failure detector $(\Sigma_k, \Omega_k)$, for all $2 \leq k \leq n-2$.

Proof: We assume by contradiction that there is such an algorithm $A$. Note that there are exactly $n = k-1+j$ processes in the system, for some $j \geq 3$. Consider the following partitioning of $\Pi$: Let $D = \{p_1, \ldots, p_j\}$ and choose $D_1, \ldots, D_{k-1}$ such that they partition the set $\Pi \setminus D$; since

$\Pi \setminus D = \bigcup_{i=1}^{k-1} D_i$, i.e., $|\Pi \setminus D| = n-j = k-1$,

such a partitioning exists.

We will actually prove the impossibility for $A$ provided with the stronger failure detector $(\Sigma'_k, \Omega'_k)$. This impossibility can be carried over to $A$ provided with $(\Sigma_k, \Omega_k)$ by using Lemma 9.

We start with two technical lemmas, which justify why we call histories of $(\Sigma'_k, \Omega'_k)$ "partitioning histories": Intuitively speaking, it is straightforward to combine histories at different processes. The first lemma proves that we can "paste together" different executions at partition boundaries. Let $\mathcal{R} \subseteq \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$ be the set of runs where all communication between the sets of processes $D_1, \ldots, D_k$ is delayed until every correct process has decided, and assume that $\mathcal{R} \neq \emptyset$ (which will be proved in Lemma 12 below).

Lemma 11. Let $\beta \in \mathcal{R}$ (and hence $\beta \in \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$ and $\beta \in \mathcal{R}_{\langle D \rangle}$) and $\alpha \in \mathcal{R}_{\langle D \rangle}$ be given, where $t^{\alpha}_{dec}$ resp. $t^{\beta}_{dec}$ denotes the time when the last process in $D$ has crashed or decided in $\alpha$ resp. $\beta$. Then, the run $\beta'$ obtained from $\beta$ by

1) replacing $H_\beta(p, t)$ by $H_\alpha(p, t)$ at all processes $p \in D$ at all times $t \geq 0$,

2) setting $F_{\beta'}(t) = (F_\beta(t) \cap (\Pi \setminus D)) \cup (F_\alpha(t) \cap D)$ at all times $t \geq 0$, and hence $F_{\beta'} = (F_\beta \cap (\Pi \setminus D)) \cup (F_\alpha \cap D)$,

3) letting the processes in $D$ receive messages and perform their steps exactly as in $\alpha$,

4) delivering messages between $D_1, \ldots, D_k$ only after all correct processes have decided in $\beta'$,

5) choosing some (arbitrarily large) $t_{GST} \geq \max\{t^{\alpha}_{dec}, t^{\beta}_{dec}\}$ and some set $LD$ that satisfies $LD \cap (\Pi \setminus F_{\beta'}) \neq \emptyset$, and setting $LD_j = LD$ in $H_{\beta'}$ for all processes $p_j \in \Pi \setminus F_{\beta'}$ and all $t \geq t_{GST}$

satisfies $\beta' \in \mathcal{R}$.

Proof: We must show that (i) the processes in $D_1, \ldots, D_{k-1}$ see the same history in $\beta'$ and $\beta$ until $t_{GST}$, (ii) that the processes in $D$ see the same history in $\beta'$ and $\alpha$ until $t_{GST}$, and (iii) that the history of $\beta'$ is a valid partitioning history: Then, correct processes can indeed take the same steps in $\beta'$ as in $\beta$ resp. $\alpha$, and hence decide the same. Since $\beta \in \mathcal{R}$ and $\alpha \in \mathcal{R}_{\langle D \rangle}$, this implies $\beta' \in \mathcal{R}$.

Consider any $p_j \in D_i$, for some $1 \leq i \leq k$. The $\Sigma'_k$ output of processes in $D_i$ is not affected by changing the histories in $D$, as the failure pattern for the processes in $D_i$ remains the same w.r.t. $\beta$ (for $1 \leq i \leq k-1$) resp. $\alpha$ (for $i = k$) and quorums in different partitions are disjoint according to Definition 7. The same holds true for the $\Omega'_k$ part, since the leader output of $p_j$ is independent of the leader output at any other process before stabilization time $t_{GST}$, after which it satisfies (Eventual Leadership) by construction. ■

The next lemma shows that there are indeed "partitioned" executions, where all processes decide: 
Lemma 12. $\mathcal{R}_{(\Sigma'_k, \Omega'_k)} \neq \emptyset$; in particular, $\mathcal{R} \subseteq \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$ is nonempty.

Proof: Fix any $D_i$, for $1 \leq i \leq k$, where $D_k = D$. Consider a run $\alpha_i$ where all processes not in $D_i$ are initially dead; let $H_i$ denote the history of $\alpha_i$. Due to (Eventual Leadership) of $\Omega'_k$, there exists a time $t^i_{GST}$ and a set $LD^i$ with $LD^i \cap D_i \cap (\Pi \setminus F) \neq \emptyset$ such that $LD_j = LD^i$ for all $p_j \in D_i$ and $t \geq t^i_{GST}$. Since $A$ is correct, all correct processes in $D_i$ eventually decide in $\alpha_i$; let $t_i$ be the point in time when all processes in $D_i$ have either crashed or decided.

Using exactly the same arguments as in the proof of Lemma 11, we can construct a run $\alpha$ by "pasting" the executions $\alpha_i$, $1 \leq i \leq k$, one after the other: In the resulting $\alpha$, all processes in $\Pi$ fail exactly as in their respective $\alpha_i$, all communication between the sets $D_1, \ldots, D_k$ is delayed until time $\tau = \max(t_1, \ldots, t_k)$, and all processes in $D_i$, for every $1 \leq i \leq k$, take exactly the same steps as in $\alpha_i$. The history of $\alpha$ is equal to the union of the histories $H_i$ for all $t \geq 0$, except that we choose some (arbitrarily large) $t_{GST} \geq \tau$ and any set $LD$ (which obviously satisfies $LD \cap D_j \cap (\Pi \setminus F) \neq \emptyset$ for some $j$) and require $LD_j = LD$ for all processes $p_j \in \Pi \setminus F$ and all $t \geq t_{GST}$. Obviously, $H$ satisfies Definition 7, so $\alpha$ is admissible and all processes decide in $\alpha$, i.e., $\alpha \in \mathcal{R}$. ■

Equipped with these results, we can now establish the conditions required for applying Theorem 1:

(A) Consider the run where all processes outside $D$ are initially dead; then clearly processes in $D$ decide before receiving a message from a process outside $D$. Since this run is in $\mathcal{R}_{\langle D \rangle}$, we obviously have

(B) Consider any run $\alpha \in \mathcal{R}_{\langle D \rangle}$ with a (partitioning) failure detector history $H_\alpha$ and failure pattern $F_\alpha$, and let $\mathcal{R} \subseteq \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$ be the set of runs where all communication between the sets of processes $D_1, \ldots, D_{k-1}, D$ is delayed until every correct process has decided. Now choose a run $\beta \in \mathcal{R}$ that satisfies the conditions of Lemma 11; Lemma 12 guarantees that it exists. Lemma 11 provides us with an execution $\beta' \in \mathcal{R}$ that is indistinguishable from $\alpha$ for all processes in $D$ until decision, i.e., $\alpha \sim \beta'$; recalling that $\beta' \in \mathcal{R} \subseteq \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$, we have thus shown that $\mathcal{R}_{\langle D \rangle} \sim \mathcal{R}_{(\Sigma'_k, \Omega'_k)}$.

(C) We will first choose an appropriately restricted model $M'$: Since $|D| = j \geq 3$, let $M' = \langle D \rangle$ be an asynchronous system where up to $j-1$ processes may fail by crashing. Moreover, $M'$ is augmented with a failure detector that is compatible to $(\Sigma'_k, \Omega'_k)$, in the sense that its failure detector histories can be extended to match an admissible history of $(\Sigma'_k, \Omega'_k)$ in $M$, without changing the output at processes in $D$: Considering Definition 7, we just assume that processes in $M'$ effectively access a failure detector $(\Sigma, \Gamma)$, where $\Gamma$ satisfies the part of Definition 7 that concerns $\Omega'_k$ in the following constrained way, for all processes in $D$: $\Gamma$ outputs a possibly changing set of $k$ process ids in the range of $\Pi$, which eventually stabilizes on some set $LD$ that intersects $D$ in exactly two processes $p_s$ and $p_t$. Obviously, this restriction is compatible with $\Omega'_k$. Note that one of $p_s$ and $p_t$ (but not necessarily both) may be faulty. Using $\Gamma$ we can easily implement $\Omega_2$ for $M'$ (the transformation uses $\Gamma$ to eventually choose two fixed processes from $D$), thus $(\Sigma, \Gamma)$ is weaker than $(\Sigma, \Omega_2)$. Moreover, $(\Sigma, \Omega_2)$ is strictly weaker than $(\Sigma, \Omega)$, as there is no transformation $T$ providing the properties of $\Omega$ from those of $(\Sigma, \Omega_2)$. If $T$ existed, we could use it to obtain a wait-free transformation $T'$ for shared memory to obtain $\Omega$ from $\Omega_2$ (by simulating an asynchronous message passing system equipped with $\Sigma$, cf. [9]), which contradicts the results of [21]. Since $(\Sigma, \Omega)$ is the weakest failure detector for solving consensus, we can therefore conclude that $(\Sigma, \Gamma)$ is too weak for solving consensus in $M'$.

(D) Finally, for any run in $\mathcal{R}_{M'}$, there is obviously a run in $\mathcal{R}_{\langle D \rangle}$ where all processes in $\Pi \setminus D$ are initially dead, the processes in $D$ take identical steps, fail at the same time, and receive the same failure detector output and the same messages. Hence, ^jj ^(U) and, by transitivity, ^73 Ma-

Applying Theorem 1 thus yields the required contradiction. ■

From [3], we know that $\Sigma_{n-1}$ is sufficient for solving $(n-1)$-set agreement. Obviously, this implies that $(\Sigma_{n-1}, \Omega_{n-1})$ is also sufficient for $(n-1)$-set agreement. Together with the fact that $(\Sigma_1, \Omega_1)$ is sufficient for solving consensus [10], we have the following result:

Corollary 13. There is an $(n-1)$-resilient algorithm that solves $k$-set agreement with failure detector class $(\Sigma_k, \Omega_k)$ in an asynchronous system, if and only if $k = 1$ or $k = n-1$.

VIII. Discussion 

In this paper, we introduced a reduction to consensus for generically characterizing the impossibility of $k$-set agreement in message passing systems. The main advantage of our approach is that we are independent of a specific system model, since Theorem 1 neither makes assumptions on the available amount of synchrony, nor on the power of computing steps and communication primitives available to the processes. This genericity allows applying our theorem in very different contexts. In this paper, we have used our result to derive impossibility results both for partially synchronous systems [12] and for asynchronous systems augmented with failure detectors [3], [6]. However, we are confident that it can also be used to establish impossibility results in round models like [1], [15], [19].

A particularly promising application of our theorem is as both a guidance and quick verification tool for finding new models and algorithms for $k$-set agreement. This is particularly true for the quest for the (still unknown) weakest failure detector for solving message-passing $k$-set agreement: As we have shown, $\Sigma_k$, which is known to be necessary for $k$-set agreement in [3], is not powerful enough for overcoming the fatal partitioning into $k$ subsystems. So what can be learned from our result is that, whatever one adds to $\Sigma_k$, it has to allow solving consensus in each partition.

Our future work on this topic will involve (i) identifying other settings where Theorem 1 can be applied, (ii) developing a general theory of T-independence for failure detectors and other message passing systems, and (iii) finding weak system models that provide just enough synchrony to circumvent the impossibility condition.